[Owasp-leaders] The Only Thing That Is Constant Is Change

Andrew van der Stock vanderaj at owasp.org
Mon May 9 07:34:02 UTC 2016

I see this as being

a) How do we mature OWASP projects? OpenSAMM, CII, or both?
b) Can the OWASP Foundation provide the infrastructure and tooling to allow
these metrics to be met using automated means, thus improving our
understanding of incubator, labs, mature, and flagship projects?
c) What is valuable to us as an organisation? We should work on those.

In the first instance, asking our flagship projects to self-assess if they
are coding projects is going to be a light touch approach, and helps us
understand where projects could invest SoC funding or drive volunteer
effort in a targeted and focused way.

So many times, people add complexity and features to an application, but do
not drive quality and all the -alities of a good software project.

Personally, we have a home-grown set of principles with OpenSAMM; some of
the best value for OWASP project *users* and *project owners* might be in
the intersection of these two things.


On Mon, May 9, 2016 at 6:18 AM, Larry Conklin <larry.conklin at owasp.org> wrote:

> Johanna, I think this may be a fair statement: "*Being someone who
> has looked closely at most projects' code and development process, I can tell
> with confidence that most, including those labeled as flagship, won't be able
> to comply with these norms*", but I am not as familiar with all the
> projects as you are.
> But I think we have to step back a little and review.
> This process, for the badge part, is a self-assessment. That said, all
> developers on SourceForge, etc. would never overstate their own projects,
> lol. But I think it is a great idea and OWASP is moving down the same path.
> The process that we are developing is a mix of self-assessment and peer
> review. More emphasis on peer review will be placed on Flagship projects,
> and not just self-assessment. Another major difference is that we are also
> trying to accomplish something different than what CII is trying to
> accomplish, and more in line with Apache open source. That is, corralling
> the Wild Wild West and having projects have some of the same rigor that
> Chapters have today, like all projects having two leaders. Besides the
> self-assessment and peer review, we are also looking at what we can automate
> to help us.
> But I will be honest, I think something keeps getting left out of the
> discussion: making OWASP a great place for security code projects. We are
> well on our way, rocking and rolling with conferences, chapters, web, cheat
> sheets, documentation. Now we need to rock and roll with ZAP and other
> projects, making OWASP the place to be for secure coding projects helping
> with application security. I would like to see more discussion on this.
> I have reviewed the badge process. A lot of it is now covered in our
> assessment model. So that is a great thing and I thank you for bringing
> this process into the discussion. It is important.
> Larry
> On Sat, May 7, 2016 at 11:07 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>> Tom,
>> The CII Badge criteria are a heavy checklist to control that an open
>> source project complies with certain norms in different fields such as
>> proper development and security.
>> Being someone who has looked closely at most projects' code and development
>> process, I can tell with confidence that most, including those labeled as
>> flagship, won't be able to comply with these norms.
>> Right now I think OWASP needs to set focus on developing a better
>> platform to attract developers, volunteers and project leaders, motivating
>> them to produce quality projects:
>> a volunteer program and platform that can help match volunteers with
>> initiatives and projects.
>> Producing a quality project like ZAP needs dedication and resources,
>> including a deep commitment to make it work. The ZAP project leader and
>> volunteers work 100% on ZAP; this is by no means a 'hobby' or side
>> project. Even so, ZAP is right now 92% compliant with the CII criteria and
>> still needs to work on it.
>> Most project leaders are doing this as side-hobby projects and in this
>> way, we will never be able to pull off projects compliant with CII
>> criteria. Most are lonely leaders building their projects when they have
>> time and once in a while they have the collaboration of contributors.
>> So we need to be realistic and be careful not to impose on projects
>> criteria or a process they will never be able to fulfill without the right
>> platform and incentives.
>> As I mentioned before, I strongly recommend focusing on creating and
>> building a volunteer program and really thinking through how to attract and
>> retain volunteers, creating initiatives that can help produce quality
>> projects and working with those project leaders looking for help.
>> Collaboration and support are the key to creating meaningful and lasting
>> open source projects.
>> Regards,
>> Johanna
>> On Sat, May 7, 2016 at 10:16 AM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>> "The stakes have never been higher for open-source software security.
>>> With millions of people around the world relying on open source software —
>>> and vulnerabilities like Heartbleed putting everyone at risk — it's time to
>>> change the way we support, protect, and fortify open software."
>>> Interesting article and project(s) now available:
>>> http://www.linuxinsider.com/story/83463.html
>>> Why should OWASP code-based projects not work together on this
>>> initiative in raising visibility for software security, improving our
>>> project quality and management?
>>> Discussion, debate, agreement: where do you stand on it, OWASP Leaders?
>>> https://www.coreinfrastructure.org/programs
>>> Tom Brennan
>>> GPG ID: DC6AA149 | Fingerprint: 12A6 9978 45BB 1562 C921 B228 BD0F D9C6 DC6A A
>>> OWASP Foundation | www.owasp.org
>>> Tel:  (m) 973-506-9304
>>> Need to book time with me to discuss an existing or a future project
>>> click on my virtual calendar http://www.proactiverisk.com/brennan
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> --
>> Johanna Curiel
>> OWASP Volunteer